Best Practices for IT auditing - Is a session-id necessary for a complete audit trail?

gmctec

I am looking for references to specific standards, or otherwise credibly citable sources, to support the following conjecture:

For data that is classified highly confidential (i.e. HIPAA), to be comprehensive, a system AUDIT TRAIL should consider the following:

A) How important is a session id, which serves as a session data label to encapsulate all actions and sub-processes a single user does while logged into a specific session?

Our newly delivered system records some information on each individual process (including username, timestamp, IP address), but does not generate or record a session_id, which uniquely identifies the session from which all other subprocess actions get executed.
How important is it to have a session_id? Throughout my 20 years' experience that type of information has always been available. Now I manage an application that does not have such an ability (to identify a specific session), and the necessity for such a session_id has been called into question.


B) When processing occurs, each individual form, or interface, gets recorded in the application, but not in the database. My question is, how important is it that this information gets recorded in the database, vs. being recorded in an application logfile?

Right now, it is only being recorded in the app side. Only the SQL statement (but not by whom, or source_ip, etc) is being recorded on the database side. (It could be done though if the application passes a process id to the database).
How important is it to have separate, but reconcilable, logs of SQL events from both the database side and the application side?


Other types of information I think it is important to build AUDIT TRAIL controls around to capture:

data out per session
# records out per session

Changes of permissions granted to users, groups, and roles onto objects
Changes of user assignments to security groups and roles
Changes to application code and objects
Changes to data structures
Changes to configuration


I am looking for authoritative sources that state these types of explicit AUDIT TRAIL controls are a good idea and are in keeping with some type of "best practices".

ISO, HIPAA, NIST, and other frameworks use language that supports the kind of specifics I enumerated here, but they don't enumerate any details (other than logon, logout data, and tracking changes to data).
I am looking for these specific AUDIT TRAIL targets to be enumerated by a citable authority, because without prior examples I can show out in the wild, it is unlikely we will get the resources to build out and monitor the controls I described herein.

Help please with pointers to references?

Thanks in advance!
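One way to make the two logs described in the post reconcilable, as an added example that is not from the poster or their application: the application log carries a session_id, the database log carries the same id the application passed along, and a join on that id yields per-session "data out" counts and exposes SQL statements that no application session accounts for. All records below are constructed sample data.

```python
from collections import defaultdict

# Constructed application-side audit records: who, when, from where,
# in which session, which form, and how many records went out.
APP_LOG = [
    {"ts": "2024-05-01T09:00:01", "user": "jdoe", "ip": "10.0.0.5",
     "session_id": "S1", "form": "PatientSearch", "records_out": 12},
    {"ts": "2024-05-01T09:02:10", "user": "jdoe", "ip": "10.0.0.5",
     "session_id": "S1", "form": "PatientDetail", "records_out": 1},
    {"ts": "2024-05-01T09:05:00", "user": "asmith", "ip": "10.0.0.9",
     "session_id": "S2", "form": "PatientSearch", "records_out": 40},
]

# Constructed database-side SQL log: only the statement plus the
# correlation id the application passed to the database.
DB_LOG = [
    {"ts": "2024-05-01T09:00:01", "session_id": "S1",
     "sql": "SELECT ... FROM patients WHERE name LIKE ?"},
    {"ts": "2024-05-01T09:02:10", "session_id": "S1",
     "sql": "SELECT ... FROM patients WHERE id = ?"},
    {"ts": "2024-05-01T09:05:00", "session_id": "S2",
     "sql": "SELECT ... FROM patients WHERE dob > ?"},
    # No application event explains this one: an audit gap to investigate.
    {"ts": "2024-05-01T09:07:30", "session_id": "S9",
     "sql": "SELECT * FROM patients"},
]


def reconcile(app_log, db_log):
    """Join both logs on session_id.

    Returns (sessions, orphans): per-session user, source IP, form count,
    records out and SQL count, plus DB statements with no matching session.
    """
    sessions = defaultdict(lambda: {"user": None, "ip": None, "forms": 0,
                                    "records_out": 0, "sql": 0})
    for e in app_log:
        s = sessions[e["session_id"]]
        s["user"], s["ip"] = e["user"], e["ip"]
        s["forms"] += 1
        s["records_out"] += e["records_out"]  # "data out per session"
    orphans = []  # SQL that cannot be attributed to any user session
    for e in db_log:
        if e["session_id"] in sessions:
            sessions[e["session_id"]]["sql"] += 1
        else:
            orphans.append(e)
    return dict(sessions), orphans


if __name__ == "__main__":
    sessions, orphans = reconcile(APP_LOG, DB_LOG)
    for sid, s in sessions.items():
        print(sid, s)
    print("unattributed SQL:", orphans)
```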